Re-Mapping Attribute Sets

By default, the AWS wizard creates an attribute set with the name AmazonWebServices. This attribute set has the following mappings:

  1. Constant Value: A value built from the Role ARN and the trusted SAML provider ARN. It is mapped to Role.

    For example, if the Role ARN is arn:aws:iam::638116851885:role/NewRole and the Trusted SAML Provider ARN is arn:aws:iam::638116851885:saml-provider/NAM-IDP, the constant value is arn:aws:iam::638116851885:role/NewRole,arn:aws:iam::638116851885:saml-provider/NAM-IDP (the two ARNs separated by a comma). This value is mapped to Role.

    NOTE: When multiple roles are configured in AWS, create a virtual attribute that changes the Role ARN dynamically depending on the user. After creating the virtual attribute, create the corresponding attribute mapping. For information, see use case 3 in Sample JavaScripts with Examples.

  2. LDAP Attribute: The givenName attribute, mapped to the remote attribute RoleSessionName. You can map any other LDAP attribute instead of givenName.

To map a different LDAP attribute to RoleSessionName, perform the following steps:

  1. Click Devices > Identity Server > Shared Settings > Attribute Sets > AmazonWebServices > Mapping.

    In the attribute list, select the existing LDAP attribute set.

  2. Click Delete.

  3. Click Apply > OK > New.

  4. In Add Attribute Mapping, specify the following details:

    1. Local attribute: Select a local attribute from the available list.

    2. Remote Attribute: Specify RoleSessionName.

    3. Remote nameSpace: Specify http://aws.amazon.com/SAML/Attributes/

  5. Click OK > Finish.

  6. Click Devices > Identity Servers > Edit > SAML 2.0.

  7. Select AWS and click Attributes.

  8. Select the new attribute set from Available and move it to Send with authentication.

  9. Click OK, then update Identity Server.
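To confirm that the re-mapped attribute set produces what AWS expects, the check below parses a SAML assertion and validates the two attributes described above: Role must carry one or more "roleArn,providerArn" pairs whose ARNs are well-formed and belong to the same account, and RoleSessionName must be present exactly once. This is an added example, not Access Manager or AWS code; it assumes the attribute Name in the assertion is the remote nameSpace from the procedure followed by the remote attribute name, and the sample assertion is constructed from the ARNs on this page.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed: attribute Name = remote nameSpace from the procedure + remote attribute name.
AWS_NS = "http://aws.amazon.com/SAML/Attributes/"
# IAM role / saml-provider ARN. Commas are excluded from the name so the pair splits safely
# (a simplification: IAM itself permits commas in role names).
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")

def parse_role_pair(value):
    """Split 'roleArn,providerArn'; check both ARNs are well-formed and share an account."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"Role value must be 'roleArn,providerArn': {value!r}")
    role, provider = (ARN_RE.match(p) for p in parts)
    if not role or role.group(2) != "role":
        raise ValueError(f"first element is not a role ARN: {parts[0]!r}")
    if not provider or provider.group(2) != "saml-provider":
        raise ValueError(f"second element is not a saml-provider ARN: {parts[1]!r}")
    if role.group(1) != provider.group(1):
        raise ValueError("role and saml-provider ARNs belong to different accounts")
    return parts[0], parts[1]

def check_aws_attributes(assertion_xml):
    """Return {'roles': [(roleArn, providerArn), ...], 'session_name': str} or raise ValueError."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    roles = [parse_role_pair(v) for v in attrs.get(AWS_NS + "Role", [])]
    if not roles:
        raise ValueError("assertion carries no Role attribute")
    names = attrs.get(AWS_NS + "RoleSessionName", [])
    if len(names) != 1 or not names[0]:
        raise ValueError("assertion must carry exactly one non-empty RoleSessionName")
    return {"roles": roles, "session_name": names[0]}

# Constructed sample assertion (not a captured one) using the ARNs from the page.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::638116851885:role/NewRole,arn:aws:iam::638116851885:saml-provider/NAM-IDP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_aws_attributes(SAMPLE))
```

A decoded assertion captured from a browser SAML trace can be passed to check_aws_attributes in place of SAMPLE after completing the steps above.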